The Ultimate Cookie Handbook for Privacy Professionals

Law & Regulations

1. What is the territorial scope of the ePrivacy Directive? Does the establishment of the organisation running the website, the location where data is hosted, the place where the majority of traffic is coming from, or the market of the website, play a role in the identification of the national applicable legislation?

The ePrivacy Directive does not have any provisions that expressly set out its geographical scope of application. However, its relationship with the GDPR must be considered in order to understand its territorial scope of application.

Firstly, it must be considered that Article 94 of the GDPR repeals the old Data Protection Directive and provides that any reference to the repealed Directive shall be construed as references to the GDPR.

The ePrivacy Directive must be thought of as a specialised subset of rules falling under the broader privacy framework established by the GDPR.

In fact, Recital 10 of the ePrivacy Directive provides that, in the electronic communications sector, Directive 95/46/EC [now the GDPR] applies to all matters concerning the protection of fundamental rights and freedoms which are not specifically covered by the provisions of the ePrivacy Directive itself, including the obligations on the controller and the rights of individuals.

Article 1(2) of the ePrivacy Directive likewise states that its provisions 'particularise and complement' Directive 95/46/EC [now the GDPR].

Therefore, since the ePrivacy Directive does not expressly address its territorial scope of application, Article 3 of the GDPR, which regulates the GDPR's own territorial scope, becomes relevant in the context of the ePrivacy Directive.

The EDPB Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR stated that the use of cookies triggers the application of both the ePrivacy Directive and the GDPR.

Therefore, when the use of cookies involves the processing of personal data, the GDPR, and consequently its territorial scope, will apply.

The EDPB further outlined that, for the ePrivacy Directive to be applicable, the service and network must be offered in the EU. It also stated that Article 5(3) of the ePrivacy Directive applies not only to providers of electronic communications services, but also to website operators and other businesses.

Lastly, Article 3 of the ePrivacy Directive states that its application will cover any processing of personal data carried out in connection with the provision of publicly available electronic communications services in public communications networks in the Community.

2. Is the cookie legislation applicable to organizations’ intranet, for example in the employment context?

Article 3 of the ePrivacy Directive states:

‘This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices.’

The EDPB Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities outlines that the ePrivacy Directive applies when each of the following conditions are met:

  • there is an electronic communications service;
  • this service is offered over an electronic communications network;
  • the service and network are publicly available;
  • the service and network are offered in the EU.

Examples of activities which do not meet all of the above criteria and are generally out of scope of the ePrivacy Directive:

  • A corporate network which is accessible only to employees for professional purposes does not constitute a 'publicly available' electronic communications service. As a result, the transmission of location data via such a network does not fall within the material scope of the ePrivacy Directive.

Cookie Consent

1. How does implicit consent pan out with the wider EU approach to valid consent with recent case law?

Recent case law, as well as several recommendations and guidelines of regulators across Europe, have deemed implied consent too vague to fulfil the strict sine qua non elements of consent required by the GDPR. For example, users can continue to navigate a website by mistake (e.g. by clicking on the "about" tab instead of closing the window). Some devices are quite sensitive, and clicking on a website element by mistake while dragging the cursor is quite common; many web-based attacks, phishing included, rely on exactly such mistaken clicks. In an offline/analogue setting, implied consent can indeed work, because there are visible actions that are unmistakably interpreted as consent (e.g. taking something from someone's hand without saying a word). In this respect, the ICO is of the opinion that in an analogue setting an affirmative action is solid enough for obtaining consent. However, the same may not hold true in an online context.

In addition, the CJEU has continued to take a strict view of what constitutes valid consent. For example, its decision in Planet49 requires a positive and unequivocal action, consisting in clicking, switching or toggling preferences, before valid consent can be inferred from users; boxes cannot be pre-ticked, because this would go against the positive-action requirement. By extrapolation, implied consent would not be upheld if the practice were challenged in court, because it fails a strict test of valid consent. For the time being, the Spanish regulator treats implied consent as an acceptable practice that can be carried out in Spain, provided that the other essential elements of consent are fully respected. It is essential to have provided intelligible, unequivocal information to users before interpreting their actions as consent to tracking technologies and purposes. Clicking on the privacy policy/cookie notice link is not valid implied consent.

2. Can the consent collected within one internet domain be used to place cookies through a separate domain, when both the websites are owned by the same subject? In other words, can consent be transferred among websites developed by the same entity?

In relation to different internet domains owned by the same subject, several European regulators are of the view that the consent obtained for one website can be used for other websites as well, if certain conditions are respected.

For example, the Spanish regulator's view is that a single website provider offering services across different domains may rely on the same consent if the different domains display similar characteristics and are used for the purpose of providing services requested by users. The website must also inform users about the websites or domains held by the same provider. Lastly, where the websites provide different services, display different characteristics or offer content which is not similar, additional precautionary measures must be implemented.

In addition, the Dutch supervisory authority notes that, if the user has been informed about the intended use of cookies and about the different domains, the user's consent may be valid for multiple domains. The user must also be offered the opportunity to browse through a comprehensive list of domains, so that there is a free and specific expression of will. The bundled consent must be reasonably expected by the user, and the websites must offer the same type of service.

Lastly, the Italian supervisory authority provides for the same requirement, but in relation to the cookie policy. The website can provide a single cookie policy for different websites. The cookie policy must contain an always updated list of all the domains in which the processing is carried out through cookies.

3. Can users' cookie preferences be propagated across platforms (e.g. mobile, browser)?

As outlined in the Handbook, publishers use cookies to optimise users' searches on the basis of their search history and the results they have selected, as well as to tailor their digital advertising activities. With the increased use of mobile devices to access the internet, this practice faces new challenges with a relevant impact on organisations' practices, since the mobile environment differs from browsers on personal computers. Whilst mobile applications and mobile browsers operate on the same physical device, they are more isolated ecosystems than desktop browsers, and website owners can find it more difficult to identify a user as the same subject across different apps and the mobile browser. As a result, cookies and similar technologies, when installed on mobile, may be less effective than on traditional personal computers.

From a European standpoint, it must be noted that the ePrivacy Directive does not provide for a definition of 'terminal equipment'. However, the proposed Draft ePrivacy Regulation considers the definition offered by the Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets in telecommunications terminal equipment, which defines 'terminal equipment' as:

'[…] equipment directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information; in either case (direct or indirect), the connection may be made by wire, optical fibre or electromagnetically; a connection is indirect if equipment is placed between the terminal and the interface of the network […]'.

In addition, the WP29 highlighted in its Opinion 02/2013 on Apps on Smart Devices that apps access data stored on the device, such as contacts in the address book, pictures, videos and other personal information. Article 5(3) of the ePrivacy Directive, requiring consent from the user on the basis of clear and comprehensive information, is therefore to be considered applicable. It can thus be stated that the ePrivacy Directive applies both to personal computer browsers and to mobile environments.

The cross-validity of cookie consent is a topic that has yet to be analysed in detail in regulators' guidance and recommendations. However, some of the main data protection authorities, as well as industry organisations, have addressed mobile and cross-platform consent as a whole in recent guidelines and frameworks, giving organisations indications of the best practices to put in place in order to ensure a compliant approach.

For example, the ICO confirmed in its guidance that the use of cookies and similar technologies is not limited to traditional websites and web browsers, but also applies to mobile apps. The ICO notes that web application programming interfaces (APIs) are typically used by mobile devices and other hardware, and that they can also store or access information on the user's device. Consequently, the ICO underlines that the mobile app accessing the web API is the place where publishers must incorporate the consent mechanism. However, the ICO recognises that the limited, and sometimes non-existent, physical interfaces on some internet-connected devices pose challenges when trying to inform users about cookies and their purposes. In this regard, organisations must consider alternative methods of informing users, such as:

  • clear instructions packaged along with the device;
  • information provided during product registration; and
  • the use of a companion mobile app to provide an interface so that information can be provided and consent gained.

In relation to the use of the cookie banner on mobile, the ICO recommends that organisations consider their implementation carefully, particularly in respect of the implications for the user experience. For example, a message box designed for display in a desktop or laptop web browser can be hard for the user to read or interact with on a mobile device, which may render the consent obtained invalid.

Cookie requirements for mobile devices are also addressed by CNIL in its finalised recommendations on cookies. The recommendations confirm that they cover trackers used by publishers on both websites and mobile applications. With reference to cross-validity of consent, CNIL states that, in the case of third-party cookies allowing the user to be followed beyond the website/app on which they were initially installed, it is strongly recommended to obtain consent on each website/app visited by the user, so that the latter can be entirely aware of the scope of the consent they provided.

The topic of mobile consent is also partially addressed by IAB Europe in its TCF Implementation Guidelines. In particular, when addressing the storage of consent, the Implementation Guidelines provide that, depending on the publisher preference and on the policy requirements, consent can be stored either locally or globally through a 'shared' cookie. In addition, IAB Europe notes that CMPs are also free to store consent separately and with a different format if needed, provided that, if consent is being stored globally, they keep the shared cookie storing global consent up to date with their local changes.

However, the Implementation Guidelines further state that, on mobile, one of the most common methods for CMPs to store consent over the long term is the app's internal data storage. In this regard, IAB Europe reminds that, although this method is easy to implement, affordable, and offers a good user experience, it also has limits, such as:

  • it cannot be used as proof of consent; and
  • it cannot be shared across apps, so device-wide consent may be difficult to achieve.

Lastly, the Implementation Guidelines suggest a combined approach: server-side storage, which allows consent to be stored for a long time and shared across apps, together with client-side storage as a local, fast-to-access cache.

4. Can browser settings be considered a lawful way to collect consent?

The regulatory landscape regarding the collection of users' consent through browser settings continues to be a topic of discussion. While there is broad consensus at the EU legislative level, there does not appear to be a harmonised approach at national level, and practical recommendations on how to carry out this activity in compliance with the law are still lacking. Organisations will therefore have to bear in mind both the evolving EU regulatory environment and the varying recommendations issued by national authorities.

Further to the above, Recital 32 of the GDPR addresses the collection of consent through browser settings, even if not specifically in relation to cookies:

'Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her […]. This could include […] choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data'.

On the same, the EDPB specified in its Guidelines 05/2020 on Consent under the GDPR that obtaining consent from internet users via their browser settings is in principle allowed, as long as such settings are developed in line with the conditions for valid consent under the GDPR. Therefore, consent must be granular for each of the envisaged purposes and the information provided should include the identity of data controllers.

While the ePrivacy Directive does not address this topic, the Draft ePrivacy Regulation may allow the setting of cookies through technical settings in Article 4a(2) (here quoted in its last compromise proposal):

'[…] where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet.'

In relation to the above, the EDPS expressed its vision in Opinion No. 6/2017 on the Draft ePrivacy Regulation and stated that the expression 'where technically possible and feasible', as provided by the draft, is not sufficiently clear, and brings the risk of annulling the obligation itself through a too broad a range of possibilities regarding interpretation. The EDPS therefore recommends that the phrase should be replaced by 'where technically feasible', in order to ensure legal certainty as to the scope of the obligation.

In addition, the EDPS also highlights that compliance with the principle of Privacy by Default is necessary. In practice, tools enabling the collection of consent through browser settings must be offered to the user with privacy-friendly default settings, both at the initial set-up and at any other moment when the user changes their devices or software.

From a national perspective, organizations may face different requirements as a result of national ePrivacy legislation, and as further interpreted by national regulators.

The Belgian data protection authority, for example, has noted that consent collected through browser settings is currently not compliant with the requirements of the GDPR. Consent in this form cannot in fact be sufficiently specific in relation to the purposes of the different types of cookies.

In France, although the national ePrivacy Law provides that consent may result from appropriate browser settings on a device belonging to the user, CNIL noted in its Guidelines on cookies that browser settings cannot, in the current state of the art, allow the user to express valid consent. The Guidelines note that today's web browsers, while they give users the possibility to customise their choices in relation to cookies, neither provide a sufficient level of prior information nor allow cookies to be distinguished by purpose, both of which would be necessary for consent to be freely given.

The Irish DPC also stated in its Guidance on cookies that users' browser settings cannot be generally relied upon to infer consent for the setting of cookies, and that the circumstances where browser settings are likely to be considered a valid tool to collect consent are very limited and would need to be assessed on a case-by-case basis.

Lastly, the data protection authority in the Netherlands welcomes user-friendly solutions enabling consent to be given in the browser settings. However, the regulator reminds organisations storing or accessing cookies that they cannot automatically assume that, if a browser accepts cookies, users must have given their consent to the same, since many browsers, by default, accept all cookies. Therefore, if the user has not amended the settings, it cannot be concluded that he/she accepts cookies.

5. Are explicit consent and other derogations under Article 49 of the GDPR a viable option for the transfer of personal data collected and processed via third-party analytic and other kind of cookies following Schrems II?

The highly anticipated Schrems II judgment, as issued by the Court of Justice of the European Union (CJEU) on 16 July 2020, in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) declared, on the one hand, the EU-US Privacy Shield invalid, and, on the other, upheld the use of Standard Contractual Clauses ('SCCs'), providing clarity around the considerations that organizations and authorities should bear in mind if utilized as the transfer mechanism of choice.

When considering the use of cookies and other tracking technologies, organisations often use third-party analytics cookies, as well as other kinds of third-party cookies, for the purpose of monitoring users' usage of a website/app. Since the third party setting the cookies may be based in a third country, the use of cookies may imply the collection and subsequent international transfer of personal data. As a result of the Schrems II judgment, organisations are required to carry out an assessment of any such transfer of personal data, in order to see whether it can be deemed compliant with the judgment of the CJEU.

Organisations have been looking for viable solutions to transfer personal data to third countries post Schrems II, and the derogations provided by Article 49 of the GDPR have been discussed. These derogations apply when:

  • the third country does not provide adequate protection; and
  • no appropriate safeguards aimed at providing protection for the data have been implemented.

Having said this, it is important to assess if the derogations can, in fact, be relied upon.

Explicit consent (Article 49(1)(a) of the GDPR)

The EDPB clarified in its latest FAQs on Schrems II that the transfer of personal data on the basis of explicit consent is allowed when the same consent is:

  • explicit.
  • specific for the particular data transfer or set of transfers, meaning that the data exporter must make sure to obtain specific consent before the transfer is put in place, even if this occurs after the collection of the data.
  • informed, with specific reference to the possible risks of the transfer. The data subjects should therefore be informed of the specific risks resulting from the fact that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented.

However, the EDPB stressed that explicit consent, like the other derogations under Article 49 of the GDPR, is subject to a narrow interpretation and must be treated as an exception, not as a standard rule.

In relation to explicit consent, the Baden-Württemberg data protection authority also issued an orientation guide on the Schrems II case, outlining derogations under Article 49 of the GDPR as one possible transfer mechanism, but also recalling the narrow interpretation of the scope of Article 49 by the EDPB within its Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 and stressing the fact that an exception should not become the rule.

In practice, this derogation may find an application in relation to the transfer of personal data through cookies, given that certain cookies could be set on the basis of a consent that is re-collected only after a considerable period of time (for example 6 months or 1 year).

Transfer necessary for the performance of a contract (Article 49(1)(b) of the GDPR)

The EDPB highlights in its FAQs on Schrems II that, in relation to transfers that are necessary for the performance of a contract between the data subject and the controller, organizations should take into consideration that this derogation can find application only when:

  • the transfer is occasional (to be established on a case-by-case basis).
  • the transfer is objectively necessary for the performance of the contract.

However, given the occasional nature of the transfer, it might be challenging to find an application of the above derogation to a transfer of personal data carried out through the setting of cookies.

Lastly, it must be recalled that, following the Schrems II judgment, the EDPB released on 11 November 2020 its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, and its Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.

The Recommendations 01/2020 aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where these are needed to ensure an essentially equivalent level of protection for the data they transfer to third countries.

On the other hand, the Recommendations 02/2020, which constitute an updated version of the ones issued following the Schrems I Case invalidating Safe Harbor, aim to provide guidance on the elements to examine whether surveillance measures allowing access to personal data by either national security agencies or law enforcement authorities in a third country can be regarded as a justifiable interference or not.

Although the above recommendations do not directly address the transfer of personal data carried out through the use of cookies, organizations will have to take them into account when assessing their international data transfer activities.

6. What are the rules for email tracking pixels? How consent can be collected? 

Although there is no recent guidance on the topic, the Article 29 Working Party addressed it in its Opinion 2/2006 on Privacy Issues related to the Provision of Email Screening Services. In particular, the WP29 refers to the so-called 'Did they read it' services used to track the reading of emails by recipients. In addition to the type of web browser and the operating system used by the email recipients, 'Did they read it' services disclose the following information to email senders:

  • whether the email has been read by the addressee(s);
  • when it was read;
  • how many times it has been read (or at least opened);
  • if it has been transferred to others; and
  • to which email server, including its location.

The WP29 notes that, in order to carry out the above data processing activities, unambiguous consent from the recipient of the email is necessary. No other legal grounds can in fact justify the processing.

Another reference to email tracking pixels is included in the UK Information Commissioner's Office ('ICO') guidance on cookies and similar technologies. In particular, the guidance provides the example of an organisation conducting electronic marketing and incorporating a tracking pixel within emails in order to record information including the time, location, and operating system of the device used to read the email. The ICO notes that, whilst the majority of electronic mail marketing is governed by Regulation 22 of PECR, where tracking pixels store information, or gain access to information stored, on a user's device, Regulation 6 of PECR, regulating cookie consent in the UK, will also apply.

The ICO reiterates its position on tracking pixels in its Draft Direct Marketing Code of Practice, providing that organisations using tracking pixels within direct marketing emails need to be aware of the fact that:

  • Regulation 22 of PECR applies to the email itself; and
  • if the pixel involves storing information, or accessing information stored, on the device used to read the email, such as its location or operating system, then PECR's rules on cookies and similar technologies will also apply. 

From a practical standpoint, it must be noted that in the above circumstance the tracking pixel is set in the email itself. Therefore, cookie consent will have to be collected in alternative ways, considering that the user does not necessarily visit a website, where he/she would usually be presented with a 'cookie banner'.

7. Why did the French Conseil d’Etat rule against CNIL'S position on Cookie walls?

On 19 June 2020 the Conseil d'Etat, the highest administrative court in France, issued decision No. 434684, which ruled on CNIL's powers to issue guidelines for compliance with data protection legislation, validating CNIL's guidelines in general while overruling CNIL's position on cookie walls. The Conseil d'Etat did not rule on the substance of CNIL's position on cookie walls; it ruled on CNIL's capacity to issue such general and prohibitive policies.

The Guidelines issued by CNIL (délibération n° 2019-093 du 4 juillet 2019 de la Commission nationale de l'informatique et des libertés [CNIL] portant adoption de lignes directrices relatives à l'application de l'article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture et écriture dans le terminal d'un utilisateur [notamment aux cookies et autres traceurs]) were challenged by a consortium of professional associations and unions in the e-commerce sector (i.e. l'association des agences-conseils en communication, la fédération du e-commerce et de la vente à distance, le groupement des éditeurs de contenus et services en ligne, l'Interactive Advertising Bureau France, la Mobile Marketing Association France, le syndicat national communication directe de la data à la logistique, le syndicat des régies internet, l'union des entreprises de conseil et d'achat media et l'union des marques). These organisations filed a summary request with the litigation secretariat of the Conseil d'Etat seeking the invalidation of the CNIL Guidelines. The request was based on the ground of excess of power, i.e. that CNIL had issued obligations lying beyond its competence.

In their request, the consortium posed several questions challenging the power of CNIL and the current interpretation of Article 2(f) of the ePrivacy Directive when read in light of Articles 4(11) and 95 of the GDPR. The main question was whether offers and contracts relating to access to digital content and services, under which the consumer undertakes to provide personal data to the professional, are to be prohibited. The claimants went on to ask whether, in case of a negative answer, the aforementioned provisions should be interpreted as barring CNIL from establishing a general prohibition of offers and contracts relating to access to digital content and services where the exchange of personal data is required. This was quite a binary approach from the claimants.

The formulation of the request was longer and included a sub-set of questions circling around the above two points, as well as more specific challenges relating to the use of tracking technologies and the limits of the consent requirements established by CNIL. The request stressed the applicable provisions limiting the use of 'cookie walls', which, the claimants argued, in and of themselves unduly undermine the right to freedom of information as well as the freedom to conduct business.

In its decision No. 434684, the Conseil d'Etat mandated the deletion of paragraph 4 in Article 2 of CNIL’s recommendations prohibiting the use of Cookie Walls. The Conseil d'Etat ruled that the interpretation by CNIL of the requirements laid down in Article 4(11) GDPR was relying on a general and absolute prohibition inferred from the sole concept of "freely given consent". As a result the Conseil d'Etat overruled CNIL's powers on the general and absolute prohibition to rely on cookie walls.

8. Is legitimate interest a viable legal basis for the use of cookies?

Within the European landscape, it must be firstly considered that the ePrivacy Directive details that the use of cookies and other similar tracking technologies must be only allowed on condition that the subscriber or user concerned has given his/her consent, after having received clear and comprehensive information, with the exception of cookies that are strictly necessary for the operation of the website/application.

However, some of the European data protection regulators and industry advertising bodies have published further recommendations on the relationship between the legal basis of legitimate interests, as provided by Article 6(1)(f) of the GDPR, and the installation and use of cookies.

In particular, the French data protection authority ('CNIL'), after having released new guidelines and recommendations on the use of cookies in 2020, addressed the issue of legitimate interest in its FAQs on those guidelines and recommendations. More specifically, CNIL notes that it is necessary to distinguish between:

  • the deposit and reading of cookies on the user's terminal device: for these operations the legislation implementing the ePrivacy Directive (Article 82 of Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended)) requires the prior consent of the user, subject to the above-mentioned exceptions; and
  • the processing operations carried out on the basis of the data obtained through cookies and tracking technologies: for these operations one of the legal bases provided by Article 6 of the GDPR must be met. In this regard, CNIL recalls that the European Data Protection Board ('EDPB') generally considers consent the most appropriate legal basis for processing carried out for advertising purposes. However, CNIL also recalls that it is up to each data controller to determine, on a case-by-case basis, the most suitable legal basis for the data processing activity.

In conclusion, CNIL stresses that even where the data controller intends to base the processing of data collected via cookies on legitimate interests, such processing will only be possible if the cookies have been accepted for that specific purpose, since in case of refusal the data could not be collected in the first place.

The UK Information Commissioner's Office ('ICO') also addressed the topic of legitimate interests as a valid legal basis in relation to cookies in its guidance on the relationship between cookies and the GDPR. Specifically, the ICO recalls that if cookies require consent under PECR (the UK cookie legislation), then organisations cannot use one of the alternative lawful bases from the GDPR to set them.

Therefore, if the cookies that are set are not exempt from Section 6 of PECR, then only consent can be used, and that consent must meet the UK GDPR standard. This is the case whether or not personal data is involved. Once consent has been obtained in compliance with PECR, in practice consent is also the most appropriate lawful basis under the UK GDPR. The ICO notes that trying to apply another lawful basis such as legitimate interests when UK GDPR-compliant consent has already been collected would be an unnecessary exercise and would create confusion for users. On the other hand, if the use of cookies falls under one of the exemptions under PECR, the consent requirement does not apply: the technical process of storing or accessing information on the device then falls outside PECR and, where personal data is involved, the UK GDPR will apply.

In relation to the use of cookies and the processing of personal data within real time bidding ('RTB') processes, the ICO stressed in its update report into ad tech and real time bidding that organisations trying to apply legitimate interests as a legal ground after consent has already been collected would need to ensure that they both had valid consent and had fulfilled all of the legitimate interests requirements. This could also imply an element of unfairness, such as where individuals understand that their personal data is processed on the basis of consent, yet once they withdraw that consent, the organisation continues to process via legitimate interests. Therefore, in relation to RTB, the ICO concludes that the nature of the processing within RTB makes it impossible to meet the requirements of the legitimate interests lawful basis, meaning that legitimate interests cannot be used for the main bid request processing. In conclusion, the ICO considers that the only lawful basis for 'business as usual' RTB processing of personal data (i.e. processing relating to the placing and reading of the cookie and the onward transfer of the bid request) is consent.

The Italian data protection authority further addresses the topic in its latest cookie guidelines, stating that the legitimate interest of the data controller is not a viable lawful ground for the use of cookies and other tracking instruments, as the applicable law does not provide for any legal basis that could make the processing activity lawful other than the data subject's consent or the exemption for technical cookies.

The EDPB also expressed its view on the interaction between consent and other lawful grounds for processing in its guidelines on consent under the GDPR. The EDPB, after recalling the obligation of respecting data subjects' choice in relation to the withdrawal of consent, further outlines that 'sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals.'

Therefore, the EDPB notes that the controller cannot swap from consent to other lawful bases, as in the case of a controller experiencing problems with the validity of consent and therefore retrospectively utilising the legitimate interest basis in order to justify the processing. Controllers must in fact have decided in advance of collection what the applicable lawful basis is.

The EDPB further addressed the issue of the most appropriate legal basis for processing personal data obtained through cookies within its Guidelines 8/2020 on the targeting of social media users. The EDPB notes that any subsequent processing of personal data, including personal data obtained by cookies, social plug-ins or pixels, must have a legal basis under Article 6 of the GDPR, and that, in the case of processing of observed or inferred data, legitimate interest cannot act as the appropriate legal basis, as the targeting relies on the monitoring of individuals' behaviour across websites and locations using tracking technologies. In such circumstances, the appropriate legal basis for any subsequent processing is likely to be the consent of the data subject.

The International Working Group on Data Protection in Technology ('the Berlin Group') also briefly touched on the use of legitimate interests as a lawful ground within the digital advertising ecosystem. Specifically, the Berlin Group outlined in its Working Paper on the Risks emerging from the Tracking and Targeting Ecosystem in the Digital Advertising Market that, although legitimate interest can be the legal basis for processing personal data under a number of legal frameworks, it always requires a balance between the interests of the controller and the data subject's privacy interests. Therefore, questions arise in the context of digital advertising in relation to individuals' reasonable expectations, especially for profiling-related processing of personal data. In fact, as the majority of players in the digital advertising ecosystem do not have a direct relationship with individuals, and considering the severe interference of these practices with fundamental privacy rights, it is doubtful whether the legitimate economic interests of the players in the advertising ecosystem can prevail.

The discussion around the use of legitimate interests for cookies has also been taken up in guidance from industry advertising bodies such as IAB Europe. In particular, IAB Europe published its GDPR guidance on legitimate interests assessments for digital advertising in early 2021. The guidance recognises concerns that legitimate interest is being treated by some in the industry as the 'easy' alternative to consent, and that legitimate interests assessments are being done as a pro forma exercise. Therefore, one key purpose of the guidance is to help establish a common understanding of how a properly thorough legitimate interests assessment has to be done in the digital advertising ecosystem.

Specifically, and in relation to the use of cookies, the guidance provides that, although legitimate interests can be relied upon as a legal basis to process personal data, organisations always need to balance these interests with the rights and interests of the individual. In particular, they should be aware of regulators' views on the use of legitimate interests in relation to digital advertising, as 'legitimate interests cannot be used as a basis for setting cookies, and where processing of personal data is dependent on non-essential cookies, which require consent, that consent is a prerequisite to the subsequent processing.'

The guidance goes on to provide that organisations should be cautious in relation to data collected in association with cookies, and that tracking technologies require the provision of clear and comprehensive information to users, as well as consent (as defined by the GDPR) for their use. This is a developing area of law, but there is a need to ensure that subsequent processing of data collected with cookies is disclosed and otherwise taken into account in legal basis analyses.

However, in relation to the position of vendors within the IAB TCF, it must also be considered that legitimate interests are included in the definition of legal basis provided by the TCF's policies, which state that the legal basis for processing may be consent, in accordance with Article 6(1)(a) of the GDPR, or legitimate interests, in accordance with Article 6(1)(f) of the GDPR.

More specifically, the TCF includes legitimate interests as one of a vendor's potential legal bases (as an alternative to the user's consent) for the following processing purposes:

  • select basic ads;
  • create a personalised ads profile;
  • select personalised ads;
  • create a personalised content profile;
  • select personalised content;
  • measure ad performance;
  • measure content performance;
  • apply market research to generate audience insight;
  • develop and improve products;
  • ensure security, prevent fraud, and debug; and
  • technically deliver ads or content.

However, the TCF also notes that, in addition to complying with relevant data protection laws, vendors wishing to rely on their legitimate interest for the processing of personal data are only allowed to do so if:

  • they can verify that the appropriate information has been provided to the user at the time that the processing of his/her personal data begins; and
  • the user has not exercised his/her right to object to such processing.

For further information on the TCF, see the Guidance Note EU - Transparency & Consent Framework.

    Transparency & Cookie Policy

    1. What are the language requirements for cookie notices and privacy policies in the EU?

    In order to respect the principle of transparency, as provided by Article 5(1)(a) of the GDPR, which requires any processing of personal data to be carried out 'in a transparent manner,' Article 7(2) of the GDPR provides that if the data subject's consent is given in the context of a written declaration, the request for consent shall be presented using clear and plain language. Article 12(1) of the GDPR also requires the controller to take appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

    In addition, the WP29, in its Guidelines on transparency, recommends that, when the data controller provides privacy notices in different languages, it ensure that the translations are accurate and consistent with each other. The WP29 also suggests translating the privacy notice into the language of the targeted data subjects.

    European regulators have also expressed their views on the language requirements for privacy notices and cookie policies. For example, the Spanish AEPD guide on cookies addresses the topic of cookie policy transparency in relation to third parties. In particular, it states that, when the website publisher provides information about third-party cookies through a link to a third-party website, the publisher must ensure that the third party makes any information provided via such links available in Spanish or in any other language with co-official status in Spain.

    In addition, the Belgian data protection authority provides that the information included in the cookie policy must be written in a language easy to understand for the targeted audience. In practice, if the website is aimed at a French-speaking and/or Dutch-speaking audience, the information must be provided in French and/or Dutch.

    Cookie Retention

    1. Is there any guidance to rely on in relation to cookie retention? How should organisations address the principles of necessity and proportionality within their business functions?

    In relation to the European landscape, as the storing of cookies or similar tracking technologies implies the processing of personal data in most cases, the GDPR's provisions on data retention must be taken into account. In particular, although the GDPR does not provide for specific retention periods for personal data, Recital 39 and Article 5(1)(e), introducing the principle of storage limitation, state:

    'The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, […] ensuring that the period for which the personal data are stored is limited to a strict minimum. […] In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review'.

    'Personal data shall be […] kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed […]'.

    Therefore, when processing personal data through the use of cookies or other similar technologies, a data controller must retain the data only for a period proportionate to the purpose of the processing, and not for longer than is necessary to achieve that purpose. In this regard, an assessment of the principles of necessity and proportionality against the specific circumstances is key for organisations using cookies. In practice, the data controller must be sure that the use of a cookie is proportionate in relation to the intended outcome and limited to what is necessary to achieve the purpose of processing. In any case, the data controller will also need to be able to justify the necessity of a given retention period, in accordance with the principle of accountability.

    From a business perspective, organisations should also consider that implementing retention periods reduces the risk that the personal data becomes irrelevant, excessive, inaccurate or out of date. In addition, holding more personal data than is needed may be inefficient, and as a result operators might face unnecessary storage and security costs.

    With specific reference to cookies and similar technologies, there is not a pan-European cookie retention period prescribed by law. However, several European regulators have provided more detailed guidance on the topic, offering organisations indications for the application of the general principles.

    In this regard, a distinction must be drawn between cookies requiring the consent of the user and cookies that are exempted from this requirement in accordance with the ePrivacy Directive. In relation to cookies not requiring the user's consent, the former WP29 recalled in its Opinion 04/2012 on Cookie Consent Exemption that exempted cookies should have a lifespan directly related to the purpose they are used for, and must be set to expire once they are no longer needed, taking into account the reasonable expectations of the average user. This suggests that these cookies should likely be set to expire when the browser session ends, if not earlier.

    However, the WP29 also notes that, while login cookies are typically set to expire at the end of a browser session, cookies aimed at ensuring the user's security are expected to have a longer lifespan in order to fulfil their security purpose.

    Organisations must also keep in mind their transparency obligations in relation to the retention of cookies. The CJEU upheld in the Planet49 case that the cookie notice must include, among other things, information on the lifespan of cookies. In fact, the duration of the operation of cookies must be deemed as included in the clear and comprehensive information which must be provided to the user in accordance with Article 5(3) of the ePrivacy Directive. In addition, it must also be recalled that Article 13(2)(a) of the GDPR provides that the controller must, in order to ensure fair and transparent processing, provide the data subject with information relating, inter alia, to the period for which the personal data will be stored, or if that is not possible, to the criteria used to determine that period.

    Lastly, organisations should also take into consideration that certain EU Member States' data protection authorities have produced guidance on cookie retention, offering a non-harmonised outlook in terms of prescribed periods. Therefore, organisations must consider, on the basis of their business location, coverage, and audience, the differences between the regulators' guidelines. Some of this key guidance on cookie retention is discussed briefly below.


    The DPA highlights that cookies stored on the user's terminal equipment cannot be stored beyond the period necessary to achieve the intended purposes. Therefore, the retention period must not be set as indefinite, and must also take into account the reasonable expectations of the user. Information collected and stored in a cookie, as well as information collected following the access of a cookie, should be deleted when they are no longer necessary in relation to the purposes of processing.


    CNIL provides that audience measurement cookies must not have a lifespan exceeding 13 months, and that this period must not be automatically prolonged. In addition, information collected by these cookies must be retained for a maximum period of 25 months.

    CNIL also notes that the user's preference/choice (consent or refusal) may be retained for a period of 6 months.

    In this regard, CNIL provides that websites, which generally keep the consent for a certain period of time, should also keep users' refusals in the same way, so as not to re-interrogate the user at each visit. In fact, failure to keep users' choices would result in users being presented with a new banner on every visited webpage, which would affect the freedom of their choice.


    The DSK Guidance on Telemedia Providers states that shorter lifespans are more likely to meet the requirements of the balance of interests test between service providers and users under Article 6(1)(f) of the GDPR.


    The DPC Guidance Note on Cookies and other tracking technologies provides that the expiry date of a cookie should be proportionate to its purpose. Session cookies, for example, which are designed to only function for the duration of a browser session or slightly longer, are likely to have a very short lifespan and to be set to expire once they have served their limited purpose.


    Cookie retention periods are not provided in the law. However, the AEPD recommends renewing users' consent at regular intervals. In particular, it is considered good practice to consider the consent granted by users regarding a specific cookie valid for a period of no longer than 24 months. During this time, users' preferences may be stored so they are not asked to set them up again every time they visit the relevant page.


    The ICO recalls that cookie retention depends on the purpose of the cookie. It must be ensured that the use of a cookie is proportionate in relation to the intended outcome and limited to what is necessary to achieve the purpose of processing, which will in turn largely determine its duration.
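The retention guidance above can be turned into an automated check that a privacy engineer runs against a site's actual Set-Cookie headers and its cookie notice. The following Python script is an added example, not part of the handbook and not any regulator's or vendor's tooling: it derives each cookie's lifespan from its Set-Cookie header (Max-Age taking precedence over Expires, as in RFC 6265), compares it with a per-category ceiling taken from the guidance discussed above (13 months for CNIL's audience measurement cookies, 6 months for the stored consent choice, session-bound for strictly necessary cookies), and cross-checks it against the lifespan disclosed in the cookie notice, the Planet49 transparency point. The category labels, the 30-day month conversion, the cookie names, the sample headers and the sample notice are all this example's own constructions.

```python
"""Audit Set-Cookie headers against cookie-lifespan guidance (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DAYS_PER_MONTH = 30  # rough month-to-day conversion used only by this example

# Ceiling in days per cookie category. The category labels are this example's own;
# the numbers come from the guidance discussed above. None = no numeric ceiling,
# only the general storage-limitation test applies.
LIFESPAN_CEILING_DAYS = {
    "strictly_necessary": 0,                      # WP29: expire with the browser session
    "consent_choice": 6 * DAYS_PER_MONTH,         # CNIL: user's choice kept for 6 months
    "audience_measurement": 13 * DAYS_PER_MONTH,  # CNIL: 13 months, not automatically prolonged
    "advertising": None,
}


@dataclass(frozen=True)
class ObservedCookie:
    name: str
    lifespan_seconds: int | None  # None = session cookie (no Max-Age and no Expires)

    @property
    def lifespan_days(self) -> float | None:
        return None if self.lifespan_seconds is None else self.lifespan_seconds / 86400


def parse_set_cookie(header: str, now: datetime) -> ObservedCookie:
    """Derive a cookie's lifespan from its Set-Cookie header; Max-Age wins over Expires."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = None
    expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                pass  # a malformed Max-Age is ignored, as a browser would ignore it
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                pass  # unparseable Expires is ignored as well
    if max_age is not None:
        return ObservedCookie(name, max(max_age, 0))  # negative Max-Age = expire now
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return ObservedCookie(name, max(int((expires - now).total_seconds()), 0))
    return ObservedCookie(name, None)


@dataclass(frozen=True)
class Finding:
    cookie: str
    issue: str


def audit_lifespans(headers, categories, notice, now) -> list[Finding]:
    """Check each header against its category ceiling and against the lifespan
    disclosed in the cookie notice (`notice` maps cookie name -> days or "session")."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header, now)
        category = categories.get(cookie.name)
        if category is None:
            findings.append(Finding(cookie.name, "cookie not classified in the cookie inventory"))
            continue
        ceiling = LIFESPAN_CEILING_DAYS.get(category)
        days = cookie.lifespan_days
        if ceiling is not None and days is not None and days > ceiling:
            findings.append(Finding(cookie.name, f"{category}: lifespan {days:.0f} days exceeds {ceiling}-day ceiling"))
        declared = notice.get(cookie.name)
        observed = "session" if days is None else f"{days:.0f} days"
        if declared is None:
            findings.append(Finding(cookie.name, "lifespan not disclosed in the cookie notice"))
        elif declared == "session":
            if days is not None:
                findings.append(Finding(cookie.name, f"notice says session cookie, header sets {observed}"))
        elif days is None or abs(days - declared) > 1:
            findings.append(Finding(cookie.name, f"notice says {declared} days, header sets {observed}"))
    return findings


# Constructed sample input; none of this was captured from a real site.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
SAMPLE_HEADERS = [
    "sid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "euconsent=opaque; Max-Age=15552000; Path=/; Secure",             # 180 days
    "audience_id=42; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/",  # 731 days
    "adid=xyz; Max-Age=31536000; Path=/",                             # missing from the inventory
]
SAMPLE_CATEGORIES = {"sid": "strictly_necessary", "euconsent": "consent_choice", "audience_id": "audience_measurement"}
SAMPLE_NOTICE = {"sid": "session", "euconsent": 180, "audience_id": 390}


def run_sample() -> list[Finding]:
    return audit_lifespans(SAMPLE_HEADERS, SAMPLE_CATEGORIES, SAMPLE_NOTICE, NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.cookie}: {finding.issue}")
```

On the constructed sample the script reports three findings: the audience measurement cookie outlives the 13-month ceiling, its notice entry does not match what the header sets, and one cookie is absent from the inventory altogether. The 0-day ceiling for strictly necessary cookies deliberately flags anything that outlives the session; as the WP29 guidance above notes, a security cookie may justify a longer lifespan, and that justification belongs in the inventory rather than in a relaxed threshold.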

    Ad Tech

    1. What is the role that actors (publishers, CMPs, vendors etc.) of the ad tech ecosystem assume in relation to the concepts of data controller, data processor and joint controllership under the GDPR? In practice, what are the elements to be taken into account when assessing the role and responsibilities of organisations operating in the ad tech environment?

    The advertising technology (ad tech) ecosystem is a complex digital marketing environment consisting of each component necessary to manage digital advertising campaigns for demand- and supply-side platforms. The ICO defines it in its Update report into ad tech and real time bidding as a set of tools that analyse and manage information (including personal data) for online advertising campaigns and for the automation of the processing of advertising transactions. The concept of ad tech covers the end-to-end lifecycle of the advertising delivery process, which often involves engaging third parties for one or more aspects of the services. In particular, the ad tech environment underpins real time bidding (RTB), one of the most used programmatic advertising techniques (see Part 1 of this Handbook for further information on RTB), in which advertisers compete for available digital advertising space in milliseconds, placing online adverts on webpages and apps by automated means.

    Where ad tech actors process personal data for the purpose of online advertising, the applicable data protection regulations will have to be taken into account. In particular, it can be challenging, within such a complex ecosystem, to understand and assign to the subjects active in ad tech their data protection roles and responsibilities as set out in the GDPR. In fact, the following operators, among others, act within the ad tech ecosystem and share data among themselves for the purpose of targeted online advertising:

    • publishers/website operators
    • advertisers
    • ad network providers
    • advertising exchanges
    • demand side platforms (DSPs)
    • supply side platforms (SSPs)
    • data management platforms (DMPs)
    • consent management platforms (CMPs)

    In this regard, although the European regulators produced recommendations on how to identify and appoint data controller, processors, and joint controllers under the GDPR, the practical application of this guidance to the ad tech environment is still partially unexplored.

    The EDPB addresses the concepts of controller, processor and joint controllership in its Guidelines 07/2020 on the concepts of controllers and processors in the GDPR, currently under public consultation. However, the only reference to the advertising sector contained in the guidelines is in relation to certain processing activities that can be considered as naturally attached to the role or activities of an entity. In this case, existing traditional roles and professional expertise that normally imply a certain responsibility will help in identifying the controller, such as in the case of a publisher processing the personal data of its subscribers. When the publisher processes personal data as part of its interactions with its own customers, it will have to be considered as the subject who factually can determine the purpose and means around the processing and will therefore act as a controller.

    The role of ad tech actors is not otherwise mentioned in the guidelines and must therefore be reconstructed indirectly from the general definitions, as interpreted by the EDPB.

    In addition, the WP29 addressed the roles of ad tech actors in relation to cookie obligations in its Opinion 2/2010 on online behavioural advertising, which, although referring to a pre-GDPR legal landscape, still presents elements of interest. Specifically, the WP29 provides recommendations in relation to the following subjects involved in behavioural advertising practices:

    • Ad network providers
    • Publishers
    • Advertisers

    Ad network providers: Considering that Article 5(3) of the ePrivacy Directive treats as irrelevant whether the entity placing the cookie is a data controller or a processor, the WP29 considers ad network providers obliged to obtain the user's informed consent in the context of behavioural advertising. In addition, if the behavioural advertising activity entails the processing of personal data, the ad network provider will assume the role of data controller. In fact, ad network providers:

    • 'rent' space from publishers' web sites to place ads.
    • set and read cookie-related information and collect other data that the browser may reveal.
    • use the information gathered to build profiles and deliver ads.

    Publishers: Publishers rent out space on their websites for ad networks to place adverts. In practice, they set up their websites in such a way that visitors' browsers are automatically redirected to the webpage of the ad network provider. Therefore, the WP29 notes that they should be aware that, by entering into contracts with ad networks and providing them with visitors' personal data, they assume responsibility towards their visitors. The breadth of their responsibility, including the extent to which they become data controllers, should be analysed on a case-by-case basis depending on the particular conditions of collaboration with ad network providers, as reflected in the service agreements.

    Advertisers: Advertisers can track which campaign resulted in a click-through when visitors click on ads and visit their website. When the advertiser captures certain targeting information, such as demographic data or an interest group, it can combine that information with the data subject's onsite surfing behaviour or registration data. In this case, the WP29 outlines that the advertiser will assume the role of independent data controller for the relevant part of the data processing.

    From a national standpoint, CNIL also addressed the roles and responsibilities of subjects involved in the use of cookies and similar technologies in its recently finalised recommendation on cookies. In particular, CNIL establishes that the publisher and the third party must be considered joint controllers for the placement of cookies when they jointly determine the purpose and means of processing, as clarified by the EU Court of Justice in the Fashion ID case. In this case, the two parties will have to establish their respective obligations under Article 26 of the GDPR, with specific reference to the collection and proof of consent.

    In addition, from an industry perspective, IAB Europe's TCF Policies also provide some general recommendations for the establishment of the roles and responsibilities of digital advertising actors. In particular, the Policies provide that vendors, i.e. companies that participate in the delivery of digital advertising within a publisher's website, app, or other digital content, may be considered under the GDPR as controllers, processors, or both, depending on the specific circumstances of the case.

    In relation to the same, IAB Europe's Mobile In-App CMP API v1.0: Transparency & Consent Framework, a specification dependent on the TCF and dedicated to global interfaces within the mobile ecosystem of an app, also gives an indication of vendors' roles and responsibilities. Specifically, when vendors, among other actions, collect or receive personal data about the publisher's end users, they do not necessarily need to assume the role of controllers.

    In practice, the following general recommendations can be considered when assigning roles and responsibilities to ad tech actors, always bearing in mind that roles under the GDPR cannot be assigned a priori but must always follow a case-by-case assessment, and that a single subject may adopt more than one role.

    • The publisher, which sells space on its website for the placement of targeted advertising, as well as the advertiser, will likely assume the role of controller, as outlined above.
    • Ad networks will likely assume the role of controller, as outlined above.
    • DMPs, used by publishers to examine the data they retain in relation to their potential and current clients, may assume the role of controller and/or processor, depending on the circumstances. For example, it will have to be considered in concrete terms whether the DMP itself provides data coming from third parties or limits itself to facilitating the acquisition of third-party data.
    • CMPs, used by publishers to manage users' consent and marketing preferences, will in principle assume the role of processor. However, a case-by-case approach must be adopted in relation to the processing activities carried out by the CMP.

    How OneTrust Helps

    1. Does OneTrust have a solution for the IAB TCF?

    The IAB Europe's Transparency and Consent Framework ('TCF') is a GDPR consent solution built in order to create an industry-standard approach. The objective of the TCF is to help all parties in the digital advertising chain ensure that they comply with the GDPR and the ePrivacy Directive when processing personal data or setting cookies and other tracking technologies.

    The TCF creates an environment where website publishers can tell visitors what data is being collected and how their website and companies they partner with intend to use it. In addition, the TCF addresses, among other things, the presence of CMPs as an instrument to lawfully obtain and record consent.

    Recently, IAB Europe announced the launch of its TCF v2.0. In particular, the TCF v2.0 introduced several improvements in order to:

    • enable consumers to grant or withhold consent, as well as to exercise the 'right to object' to data being processed;
    • enable consumers to gain greater control over whether and how vendors may use certain features of data processing, for example, the use of precise geolocation; and
    • enable publishers to gain extended control and flexibility with respect to how they integrate and collaborate with their technology partners.

    In relation to CMPs, the TCF v2.0:

    • enables CMPs to capture, store, and signal consent in an industry-standard manner;
    • enables CMPs to receive global consents obtained by other publishers and CMPs;
    • records which vendors are operating in the TCF and the purposes that they wish to process personal data for, in order to update the user interface and inform users accordingly; and
    • informs CMPs when vendors use legitimate interest or consent as a legal basis for processing personal data, so that users can be informed accordingly.

    OneTrust, after working closely with IAB Europe, recently announced that the OneTrust Consent Management Platform (CMP) is officially TCF v2.0 approved. Publishers can use the OneTrust CMP to switch to v2.0, and access resources, tools, and templates only available to OneTrust customers. OneTrust recently launched a free tool for publishers to build and deploy an IAB Transparency and Consent Framework v2.0 (TCF 2.0) CMP for free and in just a few steps.