Cookie consent and exemptions: which legal basis to use?

Cookies have been the centre of many discussions ever since data privacy laws were enacted. We’ve seen many websites introduce cookie banners and make them more and more compliant (e.g. by adding a ‘reject all’ button and giving it the same prominence as the ‘accept’ button).

By now, you probably understand what cookies* are and how they relate to the GDPR. However, there is still some confusion about which types of cookies require consent from users.

1. What are the types of cookies?

All cookies can be divided into two categories:

  1. Strictly necessary (or ‘essential’) cookies - the cookies your website needs in order to function properly, i.e. without them the site would not work. ‘Strictly necessary’ also includes what is required to comply with any other legislation that applies to you, for example the security requirements of data protection law. Examples include cookies used for authentication, to remember user input (e.g. the contents of a shopping basket or a partly completed form), or to detect repeated failed login attempts.
  2. All other, unnecessary (or ‘non-essential’) cookies - the cookies that are not required for your website’s basic functionality, i.e. if they are disabled the website still works and users can still access your service. For example, cookies used for social media tracking (analytical cookies) or online advertising (marketing cookies) are not essential.

2. Which types of cookies require consent?

As per the cookie laws (e.g. “PECR” - the Privacy and Electronic Communications Regulations, the ePrivacy Directive, etc.), you must ask for your website users’ consent before using cookies that are not necessary for the website’s functionality. This applies even if the cookies do not collect personal data. Since the cookie laws do not define consent, the GDPR requirements for consent apply - i.e. consent must be freely given, specific, informed and unambiguous.

In respect of cookies, this means that:

  • the user must take a clear action to give their consent – continuing to use your website does not constitute valid consent;
  • you must clearly inform users about what your cookies are and what they do before they consent to them being set;
  • if you use any third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information;
  • you cannot use any pre-ticked boxes for unnecessary cookies; and
  • you must ensure that any unnecessary cookies are not placed on your landing page (and similarly that any non-essential scripts or other technologies do not run until the user has given their consent).

Also, if you say a cookie is strictly necessary because it fulfils a particular purpose (e.g. security), you must ensure that you use it only for that purpose. If you use any of the information for a secondary purpose (e.g. analytics), the cookie would no longer be regarded as strictly necessary and you would then need consent.

3. What is the legal basis for necessary cookies?

You should provide clear information about all cookies, including those that are strictly necessary, and, if personal data is involved, you must also specify the legal basis for using those cookies.

Consent is not the only legal basis: for strictly necessary cookies you can rely on the other bases set out in Art 6 GDPR. The most commonly used legal bases for setting strictly necessary cookies are:

  • Legitimate interest (Art 6.1 (f) GDPR) - e.g. for setting a cookie that helps ensure that the content of a page loads quickly and effectively;
  • Contract (Art 6.1 (b) GDPR) - e.g. for setting a cookie used to carry out a payment or to add goods to a shopping basket;
  • Legal obligation (Art 6.1 (c) GDPR) - e.g. for setting a cookie that is essential to comply with the security requirements, for example in connection with online banking services.
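The consent rules in section 2 and the purpose and legal-basis rules in sections 2 and 3 translate into a small amount of logic that a site can actually enforce. The following is an added example, not Openli’s code or product logic: a consent gate plus a registry audit, runnable in Node without a DOM. Every cookie name, provider, purpose and legal-basis label in the registry is constructed for illustration, and the purpose-to-category map is an assumption a site would have to maintain itself.

```javascript
// Added example, not Openli's code or product logic: a consent gate and a
// registry audit applying the rules from sections 2 and 3. Runs in Node with
// no DOM. All cookie names, providers and purposes are constructed.

// Purposes that can justify a "strictly necessary" cookie versus purposes that
// need consent. A purpose missing from this map is treated as needing consent.
const PURPOSE_CATEGORY = {
  authentication: 'essential',
  security: 'essential',
  'user-input': 'essential',
  analytics: 'analytics',
  advertising: 'marketing',
};

// Constructed registry. `declared` and `legalBasis` are what the site operator
// claims; the gating decision is derived from `purposes`, not from the claim.
const COOKIE_REGISTRY = [
  { name: 'session_id', declared: 'essential', legalBasis: 'contract', purposes: ['authentication'], provider: 'first-party' },
  { name: 'csrf_token', declared: 'essential', legalBasis: 'legal obligation', purposes: ['security'], provider: 'first-party' },
  { name: 'basket', declared: 'essential', legalBasis: 'contract', purposes: ['user-input'], provider: 'first-party' },
  // Declared essential under legitimate interest, but its data also feeds analytics.
  { name: 'login_attempts', declared: 'essential', legalBasis: 'legitimate interest', purposes: ['security', 'analytics'], provider: 'first-party' },
  { name: 'analytics_id', declared: 'analytics', legalBasis: 'consent', purposes: ['analytics'], provider: 'ExampleAnalytics (third party)' },
  { name: 'ad_id', declared: 'marketing', legalBasis: 'consent', purposes: ['advertising'], provider: 'ExampleAds (third party)' },
];

// A cookie is strictly necessary only if every purpose it serves is essential;
// a single secondary purpose moves the whole cookie into a consent category.
function effectiveCategory(entry) {
  const nonEssential = entry.purposes
    .map((p) => PURPOSE_CATEGORY[p] ?? 'other')
    .filter((c) => c !== 'essential');
  return nonEssential.length === 0 ? 'essential' : nonEssential[0];
}

// Audit the registry against its own declarations; one message per problem.
function auditRegistry(registry) {
  const problems = [];
  for (const e of registry) {
    const cat = effectiveCategory(e);
    if (e.declared === 'essential' && cat !== 'essential') {
      problems.push(`${e.name}: declared essential but serves a secondary purpose (${cat})`);
    }
    if (cat !== 'essential' && e.legalBasis !== 'consent') {
      problems.push(`${e.name}: requires consent but relies on ${e.legalBasis}`);
    }
  }
  return problems;
}

// The categories the banner must offer a separate choice for.
function consentCategories(registry) {
  return [...new Set(registry.map(effectiveCategory).filter((c) => c !== 'essential'))];
}

// Fresh consent record: no decision yet and nothing pre-ticked.
function newConsentState(registry) {
  const granted = {};
  for (const c of consentCategories(registry)) granted[c] = false;
  return { decided: false, granted };
}

// Explicit user actions. Accept-all and reject-all are single, symmetric
// actions; a per-category choice grants only what the user ticked.
function acceptAll(state) {
  return { decided: true, granted: Object.fromEntries(Object.keys(state.granted).map((c) => [c, true])) };
}
function rejectAll(state) {
  return { decided: true, granted: Object.fromEntries(Object.keys(state.granted).map((c) => [c, false])) };
}
function chooseCategories(state, chosen) {
  return { decided: true, granted: Object.fromEntries(Object.keys(state.granted).map((c) => [c, chosen.includes(c)])) };
}

// Continuing to browse (scrolling, navigating) is not consent: the record is
// returned unchanged, so nothing non-essential is unlocked by it.
function onContinueBrowsing(state) {
  return state;
}

// The gate: may this cookie be set, or the script that sets it run, right now?
function mayRun(entry, state) {
  const cat = effectiveCategory(entry);
  if (cat === 'essential') return true; // strictly necessary: no consent needed
  if (!state.decided) return false;     // landing page, no decision yet: nothing runs
  return state.granted[cat] === true;   // only categories the user explicitly granted
}

// Cookies allowed in the current state, in registry order.
function allowedCookies(registry, state) {
  return registry.filter((e) => mayRun(e, state)).map((e) => e.name);
}

// Third-party cookies must be named in the banner together with who sets them.
function thirdPartyCookies(registry) {
  return registry.filter((e) => e.provider !== 'first-party').map((e) => `${e.name} (${e.provider})`);
}
```

In a real page `mayRun` would wrap the point where a tag is injected (the analytics or advertising `<script>` element is appended only after it returns true), and the consent record would be persisted in a first-party cookie that is itself strictly necessary, since it exists only to honour the user’s choice. Running `auditRegistry` in CI over the site’s real cookie inventory catches the case from section 2 where a cookie labelled essential quietly gains a secondary purpose.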

Regardless of which legal basis is chosen, it is important you provide clear and transparent information to your users about the processing of their personal data. With Openli’s Cookie solution you have the ability to add a legal basis according to the GDPR to each cookie directly in your cookie banner. 

* The term ‘cookies’ is used to refer to cookies and similar technologies, such as tracking pixels, scripts, plugins, fingerprinting techniques and any other technology that stores or accesses information on the user’s device.