The Cookie Law and its relation to the GDPR
Article 5(3) of the ePrivacy Directive (colloquially known as the "Cookie Law") requires EU Member States to introduce legislation that prescribes the obtaining of the user's consent before an information society service (like a website) is allowed to place cookies. Only under two narrowly defined exceptions, consent is not required, namely: (i) cookies, whose sole purpose is to carry out the transmission of communication, or (ii) cookies, which are strictly necessary to provide the requested service.
Following the enactment of the GDPR, regulators and commentators debated the relationship between the Cookie Law and GDPR. Would it be possible to invoke, by reference to art. 6 GDPR, a different legal basis than consent for placing a cookie? In particular, was it permitted to rely on legitimate interest according to art. 6(1)(f) GDPR? Early statements by the German regulators indicated that this was indeed possible (although not in relation to tracking cookies).
Opinion of the EDPB
However, the present opinion issued by the EDPB now confirms that the Cookie Law is a special rule that will take precedence over the general rules of the GDPR. What this means, in essence, is that consent is the only legal basis upon which cookies (other than those which are strictly necessary from a technical perspective) can be justified. Legitimate interest cannot be relied upon in the context of cookies.
At the same time, the EDPB recognizes that the implementation and the enforcement of the Cookie Law is a question of national law. This means that regulators entrusted with enforcing the ePrivacy Directive cannot rely on the powers provided by the GDPR to sanction non-compliance with the Cookie Law.
Specifically, ePrivacy regulators do not derive the power to issue financial penalties from the GDPR. Fines, if any, that can be imposed for a breach of the Cookie Law are accordingly a matter of national law and not the GDPR. National law will, therefore, dictate the maximum exposure a company faces when it does not obtain valid consent before placing a cookie. In many instances, violating the Cookie Law will carry a lower maximum fine than breaching the GDPR.
Nevertheless, all website operators who operate in the European Union should carefully examine whether their processes for placing cookies is in line with the ePrivacy Directive to avoid potential sanctions. This is, even more, the case given that the ePrivacy Regulation, which will replace the ePrivacy Directive and aim to align the Cookie Law and the GDPR, is far from being agreed and will not likely enter into force before 2021.
We will discuss this and other current data protection topics during our event in Zurich on May 16, 2019: GDPR – One Year Later. You may find more information here.