From a European regulatory perspective, it must firstly be noted that the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') details that the use of cookies and other similar tracking technologies can only be allowed on the condition that the subscriber or user concerned has given his/her consent, after having received clear and comprehensive information, with the exception of cookies that are strictly necessary for the operation of the website/application.

Recently, both European data protection regulators and industry advertising bodies have published further recommendations on the relationship between the legal basis of legitimate interests, as provided by Article 6(1)(f) of the GDPR, and the installation and use of cookies.

France

In particular, the French data protection authority ('CNIL'), after having released new guidelines and recommendations on the use of cookies in 2020, addressed the issue of legitimate interest in its FAQs on the guidelines and recommendations¹. More specifically, CNIL notes that is necessary to distinguish:

• the deposit and reading of cookies on the user's terminal device: for these operations the legislation implementing the ePrivacy Directive (Article 82 of the Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended)) requires the prior consent of the user, subject to the above-mentioned exceptions.
• the processing operations carried out on the bases of the data obtained through cookies and tracking technologies: for these operations one of the legal basis provided by Article 6 of the GDPR must be met. In this regard, CNIL recalls that the European Data Protection Board ('EDPB') generally considers consent as the most appropriate legal basis in the context of processing carried out for advertising purposes. However, CNIL also highlights that it is up to each data controller to determine, on a case-by-case basis, the most suitable legal basis for the data processing activity.

CNIL goes on to stress the fact that, even when the data controller considers a processing based on legitimate interests for the data he/she collected via cookies, such processing activity will only be possible if the cookies have been accepted for that specific purpose, as in cases of refusal, the data could not be collected in the first place.

UK

The UK Information Commissioner Office ('ICO') also addressed the topic of legitimate interests as a valid legal basis in relation to cookies in its guidance on the relationship between cookies and the GDPR². Specifically, the ICO recalls that if cookies require consent under PECR (the UK cookie legislation), then organisations cannot use one of the alternative lawful bases under the GDPR to set them.

Therefore, if the cookies that are set are not exempt from Section 6 of PECR, then only consent can be used, and the same must meet the UK GDPR standards. This is also the case whether or not personal data is involved. After having obtained consent in compliance with PECR, then in practice, consent is also the most appropriate lawful basis under the UK GDPR. The ICO notes that trying to apply another lawful basis such as legitimate interests when UK GDPR-compliant consent has been already collected would be an unnecessary exercise and would create confusion for users. On the other hand, if the use of cookies falls under one of the exemptions under PECR, then the consent requirement does not apply. Therefore, the technical process of storing or accessing information on the device falls out of PECR and, where personal data is involved, the UK GDPR will apply.

In relation to the use of cookies and the processing of personal data within real-time bidding ('RTB') processes, the ICO stressed in its update report into adtech and RTB³ that, when organisations try to apply legitimate interests as a legal ground after consent has been already collected, they would also need to ensure that they had both valid consent and had also fulfilled all of the legitimate interest requirements. This could also imply an element of unfairness, such as in cases where individuals understand their personal data is processed on the basis of consent, yet once they withdraw that consent, the organisation then continues to process via legitimate interests. Therefore, and in relation to RTB, the ICO concludes that the nature of the processing within RTB makes it impossible to meet the legitimate interests' lawful basis requirements, meaning that legitimate interests cannot be used for the main bid request processing. In conclusion, the ICO considers that the only lawful basis for 'business as usual' RTB processing of personal data is consent (i.e. processing relating to the placing and reading of the cookie and the onward transfer of the bid request).

EDPB

The EDPB also expressed its view on the interaction between consent and other lawful grounds for processing in its guidelines on consent under the GDPR⁴. The EDPB, after recalling the obligation of respecting data subjects' choice in relation to the withdrawal of consent, further outlines that 'sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals.'

Therefore, the EDPB notes that the controller cannot swap from consent to other lawful bases, as in the case of a controller experiencing problems with the validity of consent and therefore retrospectively utilising the legitimate interest basis in order to justify the processing. Controllers must in fact have decided in advance of collection what the applicable lawful basis is.

The EDPB further addressed the issue of the most appropriate legal basis for processing personal data obtained through cookies within its Guidelines 8/2020 on the targeting of social media users⁵. The EDPB notes that any subsequent processing of personal data, including personal data obtained by cookies, social plug-ins or pixels, must have a legal basis under Article 6 of the GDPR, and that, in the case of processing of observed or inferred data, legitimate interest cannot act as the appropriate legal basis, as the targeting relies on the monitoring of individuals' behaviour across websites and locations using tracking technologies. In such circumstances, the appropriate legal basis for any subsequent processing is likely to be the consent of the data subject.

Berlin Group

Furthermore, the International Working Group on Data Protection in Technology ('the Berlin Group') also briefly touched on the use of legitimate interests as a lawful legal ground within the digital advertising ecosystem. Specifically, the Berlin Group outlined in its Working Paper on the Risks emerging from the Tracking and Targeting Ecosystem in the Digital Advertising Market⁶ that, although legitimate interest can be the legal basis for processing personal data under a number of legal frameworks, it must always be considered that it requires a balance of interests between the ones of the controller and the data subject's privacy interests. Therefore, questions arise in the context of digital advertising in relation to individuals' reasonable expectation, especially for profiling-related processing of personal data. The Berlin Group highlights that, as the majority of players in the digital advertising ecosystem do not have direct relationship with individuals, and considering the severe interference with fundamental privacy rights of these practices, it is doubtful whether the legitimate economic interests of the players of the advertising ecosystem can prevail.

IAB Europe

Guidance provided by industry advertising bodies such as IAB Europe has also shed light on the matter. In particular, IAB Europe published its GDPR guidance on legitimate interests' assessments for digital advertising⁷ in early 2021. The guidance recognises the existence of concerns that legitimate interest is being considered by subjects in the industry to be the 'easy' alternative to consent, and that legitimate interests' assessments are being done as a pro forma exercise. Therefore, one key purpose for the guidance is to help establish a common understanding of how a properly thorough legitimate interests' assessment has to be done in the digital advertising ecosystem.

Specifically, and in relation to the use of cookies, the guidance provides that, although legitimate interests can be relied upon as a legal basis to process personal data, organisations always need to balance these interests with the rights and interests of the individual. In particular, they should be aware of regulators' views on the use of legitimate interests in relation to digital advertising, as 'legitimate interests cannot be used as a basis for setting cookies, and where processing of personal data is dependent on non-essential cookies, which require consent, that consent is a prerequisite to the subsequent processing.'

The guidance goes on to provide that organisations should be cautious in relation to data collected in association with cookies, as well as that tracking technologies require the provision of clear and comprehensive information to users, as well as consent (as defined by the GDPR) for their use. In addition, the guidance notes that there is a need to ensure that subsequent processing of data collected with cookies is disclosed and otherwise taken into account in legal basis analyses.

Matteo Quartieri Privacy Operations
[email protected]

1. Available at: https://www.cnil.fr/fr/questions-reponses-lignes-directrices-modificatives-et-recommandation-cookies-traceurs
2. Available at: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-the-cookie-rules-relate-to-the-gdpr/#GDPR5
3. Available at: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl191220.pdf
4. Available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
5. Available at: https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf
6. Available at: https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/publikationen/working-paper/2021/2021-IWGDPT-Working_Paper_tracking_eco_system.pdf
7. Available at: https://iabeurope.eu/wp-content/uploads/2021/03/IAB-Europe-GDPR-Guidance-Legitimate-Interests-Assessments-LIA-for-Digital-Advertising-March-2021.pdf