GDPR Privacy FAQs: Do European privacy laws require a cookie banner when a company uses first-party session cookies?

BCLP

Probably not.

A cookie can qualify as “personal data” under the GDPR when it can be linked to an identifiable individual. Even where a cookie cannot be linked to a person, it is still governed by the ePrivacy Directive and its implementing legislation, such as the United Kingdom’s Privacy and Electronic Communications Regulations (“PECR”). With respect to first-party session cookies, both regimes permit a website to set such cookies without the user’s consent.

Recent guidance from the Information Commissioner’s Office [1] (the “ICO”) distinguishes between first-party “session” cookies and other cookies (such as data analytics cookies or behavioural advertising cookies). The guidance concludes that, while consent is required for analytics and behavioural advertising cookies, first-party “session” cookies are exempt from the consent requirement when they are “strictly necessary” for the functioning of the website. Such functions include user-input features (such as remembering shopping basket contents or the contact details entered in a form), authentication and security features (such as detecting repeated failed login attempts), and network management cookies (which help the site run properly). These are only a few examples.

Where the ePrivacy Directive applies, these cookies may be installed on a user’s machine without obtaining prior consent (so a cookie banner seeking opt-in consent is unnecessary), although a website operator should still give notice online that such cookies are being set, either in a privacy policy or in a cookie policy. Likewise, while the GDPR does not specifically require that the use of cookies be disclosed in real time through a cookie banner, a website operator is required to disclose its privacy practices and the fact that it is collecting personal information “at the time when personal data are obtained.” [2] As a result, either a cookie banner or a persistent online link to the company’s privacy notice should be consistent with the GDPR, so long as those documents describe the basis for processing the personal data collected through the cookies. Assuming that consent has not been solicited, that basis is likely to be either the legitimate interest of the controller (e.g., providing a functional website to the public) or the performance of a prospective contract (e.g., taking steps at the request of the data subject prior to entering into a contract or transaction).


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.


[1] See https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf (published 3 July 2019).

[2] GDPR, Article 13(1).
