Why cookie consent is not enough for GDPR compliance?

Is GDPR about cookie consent? No. The common misbelief is that compliance on digital properties equals cookie consent. Cookie usage and its related consent acquisition are not governed by the GDPR, but by the ePrivacy Directive.

The requirement of getting consent for cookie usage concerns the storing of information (or the gaining of access to information already stored) in someone’s terminal.

Website cookies are caught, but so are many other bits of data that can be processed. Even though popular, cookies are simply a storage mechanism and they do nothing (unlike the software that uses them). There are also beacons, device fingerprints, tracking pixels, scripts, local storage and a lot more you probably didn’t know of.

It is important to know that for each external resource loaded on a webpage (including a simple font from Google Fonts to make your website prettier) you automatically force the browser to pass information to those third parties’ servers including: IP address of your visitor, currently visited page, browser type, version, device type, operating system, language settings of the browser, plus all the cookies set by that respective domain in the user’s browser. There is nothing wrong with that, as this is how the entire web was constructed. However, according to GDPR some of these data points qualify as personal data and you should make your users aware.

GDPR is not about cookies, but about who set the cookies and what for.

It is all about who processes, what information about the user, for what purpose(s), how and where is the data handled, who can access it, and who benefits of this data being processed.

In most cases your reasons to process data are valid, and users will understand and allow you to do so. But they need to know what’s happening and be asked if they’re OK with that, as some of these types of processing require explicit consent from them.

What you should know is that most of the apps you use for marketing purposes do profiling and automated decision-making (including the very popular Facebook Pixel, Google Ads, machine-learning enabled applications to recommend products, various codes/tags you get from your agency or retargeting services). And these applications don’t solely rely on cookies, but other tracking means and storage mechanisms as well.

EDPS (European Data Protection Supervisor) provides a complex classification of tracking technologies (cookies, device fingerprinting, local storage etc.) and explains that all records containing identifiers, including IP addresses, which can be used to single-out users, are considered as personal data and must be managed and protected as such.

It is also about the companies processing user data and the purpose of each processing operation.

The tracking technologies and applications are just the means to do it. What really matters is the impact that data processing has on individuals. They have the right to know and agree/ object.

That’s why the user has to consent to certain purposes (not cookies!), while being informed on all the processing details (the identity of the controller or joint controllers, processors and recipients, the purpose, data that will be collected and used, the fact that the user has the right to withdraw consent, information regarding the use of data for profiling and automated decisions etc.)

Let’s review a bit:

  • Current level of technology is not limited to cookies to track people.
  • Know and tell the user who is processing, what data and to what purpose.
  • You should not ask consent for cookies, but for processing purposes.
  • Ask consent before running those applications on your website.

Shameless self-promo:

Avandor Consent is not a cookie consent solution, nor a “cookie-based” one. It focuses on data processing flows, and automatically recognizes what applications are being used on a site and what companies are doing the processing. There’s a lot more about tracking technologies that our specialists can tell you once you start deploying Avandor Consent Manager. Find out more here.

Georgiana Bedivan

Head of Compliance

We've struggled to understand GDPR so you won't have to. Learn from our experience →

We've asked a Data Protection Authority for answers on digital processing...

Since everyone is scared by penalties, we wrote and asked the Romanian Data Protection Authority (ANSPDCP) some questions about how GDPR will apply to the online processing. Here's what they had to say...

read more

What's wrong with cookie consent?

The common misbelief is that compliance on digital properties equals cookie consent. But the truth is that GDPR is not about cookies, but about who set those cookies and what for.

read more

10 steps to make your site compliant

Some have tried with cookie consent, others with implicit consent like "by continuing to use this website...", and others simply closed their sites to European citizens.

read more

What makes valid consent under GDPR?

Consent is just one of six lawful bases to process personal data, as listed in the GDPR. It may not always be necessary, but when it is, you have to make sure it is properly obtained and stored.

read more

Data controller vs. processor? Who's who

Although GDPR’s definition of the two may seem simple and concise, marketers are still having a hard time trying to figure out who’s what, especially when it comes to automated processing technologies.

read more

Profiling and automated decisions under GDPR

As site owners’ challenge these days is to ensure compliance on digital assets, you should know that most of the apps and technologies you use for marketing purposes do profiling.

read more

GDPR myths and misconceptions

Starting with May 25th, a lot of misinformation regarding GDPR has been spread so understanding the basic principles of this new regulation and how to get compliant proved to be overwhelming.

read more

Using Facebook pixel on your site?

As per today’s practices you can’t really help but using Facebook as part of your marketing strategy. However, the question that arises since the 25th of May is who is responsible for obtaining consent.

read more

Looking for the right consent solution?

Discover Avandor Consent

see features & benefits →

Need help navigating GDPR compliance?

We're happy to assist you with free advice

get in touch →

Your details:

Your interest:

Your Message:

by submitting this form you consent to our use of your data

For more information or a demo call +4072 893-9780 or get in touch.