GDPR’s non-tracking cookie banners

This note outlines how an anomaly in European law will impact cookie storage and presents wireframes of permission requests for non-tracking cookies. 

Online media will soon find itself in an anomalous position. It will be necessary to apply the GDPR’s consent requirements to cookies that reveal no personal data, even though the GDPR was not intended to be applied in this way.^[1]

Recital 26 of the GDPR says that “the principles of data protection should … not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person…”.^[2]

Even so, a hiccup in the choreography of European Law making is creating an unexpected situation in which the GDPR’s conditions will apply to cookies that reveal or contain no personal data.

The Data Protection Directive currently sets out the conditions under which consent should be sought for the storage of cookies.^[3] However, this Directive will be repealed on 25 May 2018, before the forthcoming ePrivacy Regulation introduces new conditions for cookie consent.^[4]

The Commission had intended that both the GDPR (which repeals the Data Protection Directive) and the ePrivacy Regulation (which updates cookie consent conditions) would be applied on the same date. But now that the ePrivacy Regulation is considerably delayed, a provision of the GDPR that says references to the Data Protection Directive “shall be construed as references to this Regulation” will apply to non-personal data in cookies also.^[5]

Non-personal data are data that can not be related to an identifiable person. For example, there is no unique identifier, the data could relate to many people, and could not be used to single out an individual. As the European Court of Justice said in 2016, data are not personal “if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower, so that the risk of identification appears in reality to be insignificant”.^[6]

The GDPR way of asking for consent does not neatly apply to data such as these, that are not personal. For example, the language of the GDPR’s requirements for consent refers explicitly to personal data concepts. Consider some of the important terms: “processing” is “any operation or set of operations which is performed on personal data or on sets of personal data…”.^[7] The word “processing” does not have this meaning where personal data are absent. Nor does the word “controller”, because a controller is “the natural or legal person … which … determines the purposes and means of the processing of personal data…”. ^[8] Similarly, “profiling” is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects…”^[9].

Less friction

Therefore, although the GDPR provides for a very high standard of information to be presented with consent requests, as elaborated in a previous PageFair Insider note,^[10] there is considerably less friction when using the GDPR requirements to request storage permission for data that are not personal.

The following table shows what elements are relevant when the GDPR’s requirements for consent are applied to cookies that neither contain nor revel personal data, as opposed to when it is applied to any processing of personal data.

Information to accompany consent requests
GDPR consent requirements – items listed in Article 13	Cookies where there are no personal data	Any processing of personal data
the identity and the contact details of the controller[11] and, where applicable, of the controller’s representative;[12]	N/A (there is no controller)	Yes (where applicable)
the contact details of the data protection officer, where applicable;[13]	N/A (there are no personal data)	Yes (where applicable)
the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;[14]	N/A (there are no personal data being processed)	Yes
where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;	N/A	N/A
the recipients or categories of recipients of the personal data, if any;[15]	N/A (there are no personal data being shared)	Yes (where applicable)
where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.[16]	N/A (there are no transfers of personal data)	Yes (where applicable)
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;[17]	N/A (there is no storage of personal data)	Yes
the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;[18]	N/A (there are no personal data)	Yes
where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;[19]	N/A (there is no processing of personal data)	Yes
the right to lodge a complaint with a supervisory authority;[20]	Yes	Yes
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;[21]	N/A (there are no personal data)	Yes (where applicable)
the existence of automated decision-making, including profiling,[22] referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.[23]	N/A (there are no personal data)	Yes (where applicable)

As the table shows, the requirements for consent are considerably less demanding when used to request storage permission for non personal data, such as non-tracking cookies. This is because the GDPR was not intended to be applied in this manner. Below is a wireframe of a “storage permission” dialogue.

Storage permission

In this simple wireframe the question mark button reveals two informational buttons.

The “my data rights” button provides information about how to lodge a complaint with the supervisory authorities, which is required under Article 13, paragraph 2, d. The “What is stored” button describes the non-personal data stored on the device, providing assurance to the user that their consent will not impact their fundamental right to privacy or their fundamental right to data protection.

Note that this only applies where publishers and their adtech vendors scrupulously avoid the collection and any other processing of personal data, including all unique identifiers, as Perimeter Trusted Partners do. Otherwise, the GDPR’s consent requirements apply as normal.

The future

This anomalous situation will change when the ePrivacy Regulation is applied at some point in 2018 or later. The question is whether enough sensible pro-privacy businesses and NGOs will make the case for non-tracking cookies in the new Regulation. In late 2017 PageFair wrote to Members of the European Parliament to argue the case for permitting non-tracking cookies under the ePrivacy Regulation.^[24] Our argument was that websites need a means to store information to operate, even for ancillary operations that their visitors do not request (such as A/B testing, for example) without bothering their users. Certainly, consent is essential where personal data are concerned, or where there exists the possibility to access communications information, for example, or private photo albums. But where non-tracking cookies are concerned, there must be an easier way. Unless there is some provision for protecting the humble non-tracking cookie, websites’ ability to smoothly transition to privacy-by-design advertising will be harmed.

Notes

^[1] Regulation (EU) 2016/679 of The European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 2, paragraph 1, notes the material scope of the Regulation: “This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

^[2] ibid., Recital 26.

^[3] This is because the ePrivacy Directive, Article 2, paragraph f, and Recital 17, say that consent under the ePrivacy Directive should have the same meaning as previously defined in the Data Protection Directive.

^[4] Article 94 of the GDPR repeals Directive 95/46/EC (the Data Protection Directive).

The ePrivacy Directive, Recital 17, says that “For the purposes of this Directive, consent of a user or subscriber, regardless of whether the latter is a natural or a legal person, should have the same meaning as the data subject’s consent as defined and further specified in Directive 95/46/EC. Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website.”
The ePD Article 2, (f) says “‘consent’ by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC”.

^[5] The GDPR, Article 94, paragraph 2, says that references to the Data Protection Directive “shall be construed as references to this Regulation [the GDPR]”.

^[6] Judgment of the Court (Second Chamber) Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, 19 October 2016.

^[7] ibid., Article 4, paragraph 2.

^[8] ibid., Article 4, paragraph 7.

^[9] ibid., Article 4, paragraph 4.

^[10] “GDPR consent design: how granular must adtech opt-ins be?”, PageFair Insider, 8 January 2018 (URL: https://pagefair.com/blog/2018/granular-gdpr-consent/).

^[11] Note that the GDPR defines “controller” as an entity concerned with personal data. The definition in Article 4, paragraph 7, begins: “the natural or legal person … which … determines the purposes and means of the processing of personal data…”.

^[12] The GDPR, Article 13, paragraph 1, a.

^[13] ibid., Article 13, paragraph 1, b.

^[14] ibid., Article 13, paragraph 1, c.

^[15] ibid., Article 13, paragraph 1, e.

^[16] ibid., Article 13, paragraph 1, f.

^[17] ibid., Article 13, paragraph 2, a.

^[18] ibid., Article 13, paragraph 2, b.

^[19] ibid., Article 13, paragraph 2, c.

^[20] ibid., Article 13, paragraph 2, d.

^[21] ibid., Article 13, paragraph 2, e.

^[22] Note that “profiling” is defined in the GDPR as a processing of personal data. The definition in Article 4, paragraph 4 begins: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects…”

^[23] ibid., Article 13, paragraph 2, f.

^[24] PageFair to European Parliament ePrivacy rapporteurs, 5 July 2017, re “non-tracking cookies in the ePrivacy Regulation” (URL: https://pagefair.com/blog/2017/non-tracking-cookies/).

^[25] “Guidelines on consent under Regulation 2016/679”, Article 29 Working Party, 28 November 2017, p. 20.