At some point in your life, you’ve probably had the experience of meeting someone who you feel you ought to like but, no matter how hard you try, you just can’t seem to gel with them - awkward silences creep into conversations and you find that, while you may share similar values, the ways you each go about approaching things are just different. Ultimately, despite both your best efforts, there’s just no chemistry.
That’s what I imagine Europe’s GDPR and e-Privacy Directive would be like as playmates, if only they were people. They share common values - the protection of individuals’ fundamental rights to privacy and to data protection - and yet, try as they might, they just don’t play together all that nicely.
Unambiguous consent for cookies?
Nowhere is this more apparent than when it comes to the issue of cookie consent. The e-Privacy Directive is a lex specialis (meaning a law that deals with a specific subject matter - in this case, the preservation of privacy over electronic communications channels). It sits alongside the current Data Protection Directive / soon-to-be-in-effect GDPR (I’ll just say GDPR from hereon), setting out special rules that deal with things like the privacy of communications content and metadata, e-marketing, and - of course - cookie requirements. The GDPR applies to any wider data protection issues concerning personal data which aren’t addressed by the e-Privacy Directive.
So far, so good, but the treatment of cookies under these two laws raises a real conundrum. In 2009, the e-Privacy Directive was updated to require “consent” for all non-essential cookies. This led to a flurry of activity all across online Europe, as websites everywhere hurriedly erected cookie consent banners. It also led to heated debate between regulators, industry, lawyers, and civil advocacy groups as to whether consent could be “implied” through the mere display of a cookie banner and continued browsing of a website, with cookies being dropped at the same time the cookie banner was displayed. Whatever the rights and wrongs of that debate, implied consent quickly became the norm.
The e-Privacy Directive borrows its definition of “consent” from general data protection law, so once the GDPR applies, its standard of “unambiguous” consent applies to cookies too. What practical effect does that have? While it’s not entirely certain, it seems that the use of implied cookie consent mechanisms is, at least in principle, still possible - even if not what regulators would really like to see. Unambiguous consent requires a “clear affirmative action” on the part of the website visitor - and, so, if a website makes sufficiently clear that continued navigation amounts to consent, and a visitor continues to navigate the website (the affirmative action) after having been given this information and the opportunity to decline cookies, then there is at least a decent argument that an unambiguous consent was given.
I say “decent argument” because the ability to maintain that an implied consent is unambiguous depends upon at least a couple of critical factors. First, the prominence of the cookie banner itself: a banner which is buried out of sight, or which uses font sizes or colouring that make it near impossible to read, will not sufficiently inform the visitor that their continued use of the website will amount to consent, and so no unambiguous consent can be obtained. Second, the timing of the cookie drop: if cookies are set at the same moment the banner is displayed, as is very often the case today, then it’s more-or-less impossible to maintain any argument that the visitor “unambiguously” consented to those cookies, given that they only learned about them after the cookies had already been served. To have a decent argument for unambiguous implied consent, the user at least needs to be informed about, and have the opportunity to decline, non-essential cookies before they get served.
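The timing point above is, in the end, an implementation question: non-essential cookies must not reach the browser until the visitor has seen the banner and taken the affirmative action. The following is an added example, not code from the original post or from any vendor, showing a small consent gate that lets strictly necessary cookies through immediately, holds everything else until consent is given, and keeps a record of what the visitor agreed to and which banner wording they saw. The cookie names (`session_id`, `csrf_token`, `_analytics`, `_ads`), the banner version string and the fixed timestamp are all assumptions for illustration, and an in-memory `CookieJar` stands in for `document.cookie` so the example runs outside a browser.

```javascript
// Added example (not from the original post): a consent gate that defers
// non-essential cookies until the visitor takes an affirmative action.
// Cookie names, banner version and timestamp below are assumed for illustration.

// Cookies the site cannot function without; these may be set without consent
// under the exemption for strictly necessary cookies.
const ESSENTIAL_COOKIES = new Set(['session_id', 'csrf_token']);

// Minimal stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  has(name) { return this.store.has(name); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentGate {
  constructor(jar, bannerVersion) {
    this.jar = jar;
    this.bannerVersion = bannerVersion;  // which banner wording the visitor saw
    this.state = 'pending';              // pending | granted | declined
    this.deferred = [];                  // non-essential cookies awaiting consent
    this.record = null;                  // consent record kept for later verification
  }

  // Called wherever the site (or an embedded script) wants to drop a cookie.
  // Returns what happened so callers can see the gating decision.
  setCookie(name, value) {
    if (ESSENTIAL_COOKIES.has(name) || this.state === 'granted') {
      this.jar.set(name, value);
      return 'set';
    }
    if (this.state === 'declined') return 'refused';
    this.deferred.push([name, value]);
    return 'deferred';
  }

  // Affirmative action: the visitor clicked accept (or, under an implied-consent
  // model, navigated on after being shown the banner and a decline option).
  grant(action, now = Date.now()) {
    this.state = 'granted';
    this.record = { action, bannerVersion: this.bannerVersion, timestamp: now };
    for (const [name, value] of this.deferred) this.jar.set(name, value);
    this.deferred = [];
  }

  decline(now = Date.now()) {
    this.state = 'declined';
    this.record = { action: 'decline', bannerVersion: this.bannerVersion, timestamp: now };
    this.deferred = [];   // discard, never set, what was queued
  }
}

// The pattern the post criticises: the analytics cookie is written at the same
// moment the banner appears, so the visitor learns about it only afterwards.
function dropAtBannerTime() {
  const jar = new CookieJar();
  jar.set('session_id', 'abc');
  jar.set('_analytics', 'xyz');      // set before any consent exists
  return jar.names();
}

// The gated pattern: the same two cookies are requested at banner time, but only
// the essential one lands before the visitor acts; the analytics cookie waits.
// visitorAction is 'accept', 'decline' or anything else (no action yet).
function gatedFlow(visitorAction) {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar, 'banner-v2');
  const results = {
    session: gate.setCookie('session_id', 'abc'),
    analytics: gate.setCookie('_analytics', 'xyz'),
  };
  results.beforeAction = jar.names();
  if (visitorAction === 'accept') gate.grant('accept-click', 1700000000000);
  else if (visitorAction === 'decline') gate.decline(1700000000000);
  results.afterAction = jar.names();
  results.record = gate.record;
  // A third-party tag firing later is subject to the same decision.
  results.lateAds = gate.setCookie('_ads', '123');
  return results;
}
```

In a real page the `CookieJar` would be replaced by writes to `document.cookie`, and third-party tags (analytics, ad tech) would be loaded only from inside `grant()`, since a script that is allowed to run before consent will usually set its cookies on load regardless of any gate in front of it.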
The “consent + legitimate interests” debate
There is a more challenging and technical problem, however, and this is the interplay of the need to get cookie “consent” under the e-Privacy Directive and the requirement to have a lawful basis for processing personal data under Article 6 of the GDPR.
This might seem like a somewhat academic debate, but it has some important regulatory and practical implications. For one thing, if your lawful basis for processing personal data under GDPR is consent, then - at least, according to regulatory guidance - there are greater obligations to identify by name (rather than by category) the third parties with whom data may be shared. For another, you also need to keep verifiable consent records (not a requirement for legitimate interests). Next, the Right to be Forgotten becomes more powerful where consent is the lawful basis under the GDPR (the individual simply has to withdraw consent). And data portability rights are also triggered with consent, whilst they don’t apply when processing is based upon legitimate interests.
This inevitably will lead some businesses to prefer a “consent (e-Privacy) + legitimate interests (GDPR)” approach, and again there are grounds for considering this a reasonable thing to do. The e-Privacy Directive, while it complements the GDPR, is a separate piece of legislation, and its consent requirements serve a subtly different purpose from the requirement to have lawful processing grounds under the GDPR (consent under e-Privacy is for access to or storage of information on an end user’s terminal equipment, while a lawful basis under GDPR is needed for processing of personal data).
For any business reliant upon cookie use - especially ad tech and analytics providers - being able to build compliance on a “consent + legitimate interests” approach may seem far more workable from an operations standpoint, given the regulatory overhead and complexities of a “consent + consent” approach. It also potentially lends itself more naturally to reflecting the respective roles of the website provider and the ad tech / analytics provider in cookie-based processing - with the website publisher taking on responsibility to get consent (under e-Privacy) from website visitors for the ad tech / analytics provider’s cookies, and the ad tech / analytics provider then basing its subsequent processing of cookie data on legitimate interests (under GDPR).
This approach is not without its challenges though. For one thing, it’s very complicated to articulate, and not everyone agrees that ad tech or analytics tracking is a legitimate interest at all; because of that it seems likely to meet resistance from civil advocacy groups and data protection authorities. Relying instead on a single unified consent to satisfy both e-Privacy and GDPR requirements makes for a simpler, arguably more attractive, compliance narrative - the fact that it presents significant operational and compliance challenges for businesses won’t interest the regulatory community, whose focus instead is on the preservation of fundamental rights.
Ultimately there’s no definitive legal right or wrong to this issue, only subjective interpretations and the ideologies of different interested groups. With the forthcoming e-Privacy Regulation set to replace the current e-Privacy Directive at some point in the future, a thoughtful approach, properly and thoroughly debated by the European legislative institutions, is desperately needed to ensure better alignment between e-privacy rules and the GDPR going forward. Without this, ambiguity looks set to continue, and the e-privacy rules and the GDPR will remain uncomfortable bedfellows.